fix: use parameterized query in get_face_ids to prevent SQL injection

The name parameter was interpolated directly into the SQL query via f-string, allowing SQL injection through crafted face name values. Use a parameterized query with ? placeholder instead.
2026-03-17 21:58:22 +03:00 · 2026-03-17 06:56:25 +08:00 · 2026-03-17 06:56:25 +08:00 · 3a4479397c
commit 3a4479397c
parent 722ef6a1fe
1 changed files with 3 additions and 3 deletions
--- a/frigate/embeddings/init.py
+++ b/frigate/embeddings/init.py
@ -205,14 +205,14 @@ class EmbeddingsContext:
        )

    def get_face_ids(self, name: str) -> list[str]:
-        sql_query = f"""
+        sql_query = """
            SELECT
                id
            FROM vec_descriptions
-            WHERE id LIKE '%{name}%'
+            WHERE id LIKE ?
        """

-        return self.db.execute_sql(sql_query).fetchall()
+        return self.db.execute_sql(sql_query, (f"%{name}%",)).fetchall()

    def reprocess_face(self, face_file: str) -> dict[str, Any]:
        return self.requestor.send_data(